CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 08, 2026

New Lucid Stealer Targets 18 Browsers, Crypto Wallets, and Discord Tokens With Hidden Remote Access

Cybersecurity News Archived Jun 08, 2026 ✓ Full text saved

A newly identified piece of Windows malware is raising serious concerns among cybersecurity professionals for its wide reach and unusually deep set of capabilities. Discovered through underground channels linked to Telegram, the threat known as Lucid Stealer goes far beyond stealing a few stored passwords. It can take full control of an infected machine without […] The post New Lucid Stealer Targets 18 Browsers, Crypto Wallets, and Discord Tokens With Hidden Remote Access appeared first on Cyber

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News New Lucid Stealer Targets 18 Browsers, Crypto Wallets, and Discord Tokens With Hidden Remote Access By Tushar Subhra Dutta June 8, 2026 A newly identified piece of Windows malware is raising serious concerns among cybersecurity professionals for its wide reach and unusually deep set of capabilities. Discovered through underground channels linked to Telegram, the threat known as Lucid Stealer goes far beyond stealing a few stored passwords. It can take full control of an infected machine without the victim ever noticing anything is wrong. What makes this malware particularly dangerous is how it disguises itself. The entire malicious package is wrapped inside a legitimate Node.js runtime, making it look like a normal software application to most standard security tools. This clever packaging allows it to slip past basic defenses while quietly carrying out a wide range of harmful activities in the background. Researchers at Foresiet identified and statically analyzed this Lucid Stealer build after noticing renewed activity tied to a dedicated Telegram channel promoting the tool as a paid, subscription-based product.  Foresiet said in a report shared with Cyber Security News (CSN) that the sample is far more capable than a typical credential stealer, combining data theft with live remote access in a single build. The malware is sold as a commercial service, complete with a hosted web panel, license keys, and an active support channel. The operators briefly shut down the project in late May 2026 before relaunching it days later, announcing a full rebuild of the site and even a planned move away from Node.js toward Java for better evasion. This shows that the people behind it are actively investing in improving and expanding the threat. The situation is especially serious because infections should be treated as full compromises. Credentials, browser cookies, Discord sessions, crypto wallet keys, and Roblox session data are all at risk the moment the malware runs. Defenders are urged to act fast and assume everything stored on the infected machine has already been seen by the attacker. New Lucid Stealer Targets 18 Browsers, Crypto Wallets, and Discord Tokens Lucid Stealer is built to steal from nearly every corner of a user’s digital life. The analyzed build targets 18 browsers, 21 cryptocurrency clipper formats, seven desktop wallets, seven wallet browser extensions, and four Discord client variants. Lucid Stealer web authentication panel (Source – Foresiet) It goes after saved credentials, session cookies, autofill data, and browser history using a bundled SQLite tool to query copied browser databases directly. The malware injects itself into Discord clients to steal tokens and modify the app to send stolen data back continuously. It also monitors clipboard activity, so any crypto wallet address a victim copies can be silently swapped with one controlled by the attacker. These capabilities work together to drain both financial accounts and communication platforms at the same time. What truly sets this threat apart is its remote access module. The malware includes a hidden desktop control feature, called HVNC, that lets operators take over a machine visually without opening any visible window on the victim’s screen. Combined with a remote shell, a file manager, keylogging, and screenshot capture, the attacker has essentially the same access as if they were sitting in front of the machine themselves. Infection Chain and Detection Guidance for Defenders The malware arrives in a password-protected ZIP archive. Once opened, it runs through a layered setup process that drops helper files, sets up persistence in the Windows registry, and optionally tries to gain elevated privileges. Infection flow (Source – Foresiet) By the time the main payload decrypts and runs, the attacker already has a stable foothold. Security teams should focus on behavior-based detection rather than relying only on file hashes, since the operators have already announced plans to rebuild the malware on a new platform. Hunting for temporary self-copies in the Windows TEMP folder disguised as “winupd” files, suspicious HKCU Run registry entries named WindowsUpdate, and unexpected .node module files appearing in user profiles are among the strongest signals of an active infection. Network defenders should block all traffic to the known C2 address and watch for repeated POST requests to internal log and upload endpoints as additional confirmation. Indicators of Compromise (IoCs) Type Indicator Description SHA-256 a380e66f381c9f88f4f221906f12b73e1f43517c8e5f6affcaca71fad3340d5f Outer WinZip-AES password-protected ZIP archive SHA-256 101351cff5f971cd39bd6280be02a5e0e8f08d9874cae78b971e3a421a7050f6 Inner 100 MB Windows x64 Node.js SEA executable (primary payload) SHA-256 8422c48d6301426a39bf9b3d7f11bdbe e7708e8a4e58171f38a5b5e51a8a53b8 Embedded ~8.5 MB NODE_SEA_BLOB JavaScript loader SHA-256 cad3f0dde70a5d37c996abee75f39aff8e7603862f071a8c85cb48ee5482750f Decrypted JavaScript stealer/RAT core payload SHA-256 5e33fe030fb7c3bbe2bca1f70f21a406716961aefdfb1bc030d7c65b7db055e9 Bundled SQLite helper binary SHA-256 fc52b15848191ad97213d49c7f3c21760e1cc9507d5fb0d77fa75b7620c0deac UAC/elevation native N-API addon SHA-256 6fb83f431f43d7b13e411676cdaa98d8ce005ffd61eed9d1d117698476acfb44 HVNC hidden desktop control native module SHA-256 18e61b06068a8dd71e19ed3b117e4b0800f6dfbf252f381961dbb15b44ecc481 RobotJS screen capture and synthetic input addon SHA-256 f85e5b19198cc4800be76346bb2868abdd45acbb314968cf2fe41cb18b502bfa Canvas addon for screenshots and streaming IP Address 45[.]138[.]16[.]107:3001 Primary C2 command-and-control endpoint (hard-coded in sample, AS210558) IP Address 85[.]239[.]155[.]68 Resolving infrastructure for lucidstealer[.]one at analysis time Domain lucidstealer[.]one User-supplied panel domain Domain iloveyoulucid[.]space User-supplied panel domain; resolved in DNS at analysis time Domain ghdfhfjhfg[.]webhop[.]me User-supplied panel domain; no DNS resolution at analysis time Domain 0kt[.]one User-supplied panel domain; resolved in DNS at analysis time Domain storedonutsmp[.]net User-supplied panel domain; resolved in DNS at analysis time URI /upload Stolen-data archive upload endpoint URI /internal/log Metadata and keylog telemetry endpoint URI /dc-injector Discord injection payload retrieval endpoint URI /ws WebSocket C2 communication path File %TEMP%\winupd_<random>.exe Hidden self-copy of the loader File %TEMP%_sq3e_<pid>.exe Dropped SQLite helper binary File %LOCALAPPDATA%\Common\<id>*.node Dropped native addons (UAC, HVNC, RobotJS, Canvas) File %TEMP%\Data_<hwid>.zip Staged exfiltration archive File %TEMP%\uac.log.txt Loader and elevation activity log File %TEMP%\lucid_err.log Loader error log Registry Key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate Autorun persistence value pointing to loader self-copy Crypto Address bc1qj0uraqhgquwcwdlhazy7ahzypz7r987z89dhwe BTC clipper replacement address (disabled in this build) Crypto Address 0x239df70C0d328dEb4187A8B50a70ead8cbb1f48D ETH clipper replacement address (disabled in this build) Crypto Address LYUQyhrqHS9VXzRkQWRHvVEtr5aCCSoVig LTC clipper replacement address (disabled in this build) License Key LUCID-M8NJ-SLBQ-ROI2 Embedded license key found in sample configuration Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Claude Down for Users Worldwide as Hundreds Report Service Issues Anthropic Expands Project Glasswing Claude Mythos Preview to 150 New Organizations CISA Warns of critical Magento Cache Warmer RCE flaw Exploited in Attacks Hackers Use Fake Claude Code Install Page to Deliver Fileless .NET Infostealer CISA Warns of Linux Kernel Improper Authentication Vulnerability Exploited in Attacks Latest News Chrome Chrome Patches 429 Vulnerabilities Including 22 Critical Ones – Update Now! Cyber Security OWASP Releases AI Security Report to Empower Security Professionals with New Tools Cyber Security News Internet Explorer WebBrowser Control Attack Chain Turns Clicks Into RCE Cyber Security News Multiple VMware Stored XSS Vulnerabilities Allow Attackers to Inject Malicious Scripts Cyber Security News UniFi OS Server Critical RCE Chain Allows Root Access Without Credentials
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 08, 2026
    Archived
    Jun 08, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗